Remove mitre url

rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml

@@ -3,7 +3,6 @@ id: 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb
 status: experimental
 description: Detects remote RPC calls to create or execute a scheduled task via ATSvc
 references:
-    - https://attack.mitre.org/techniques/T1053/
     - https://attack.mitre.org/tactics/TA0008/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md

rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml

@@ -3,7 +3,6 @@ id: 56fda488-113e-4ce9-8076-afc2457922c3
 status: experimental
 description: Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.
 references:
-    - https://attack.mitre.org/techniques/T1033/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md
     - https://github.com/zeronetworks/rpcfirewall
@@ -13,6 +12,7 @@ date: 2022/01/01
 modified: 2022/01/01
 tags:
     - attack.t1033
+    - attack.discovery
 logsource:
     product: rpc_firewall
     category: application

rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml

@@ -3,7 +3,6 @@ id: ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d
 status: experimental
 description: Detects remote RPC calls to create or execute a scheduled task
 references:
-    - https://attack.mitre.org/techniques/T1053/
     - https://attack.mitre.org/tactics/TA0008/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md

rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml

@@ -4,8 +4,6 @@ status: experimental
 description: Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
 references:
     - https://attack.mitre.org/tactics/TA0008/
-    - https://attack.mitre.org/techniques/T1021/003/
-    - https://attack.mitre.org/techniques/T1047/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
     - https://github.com/zeronetworks/rpcfirewall
     - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/

rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml

@@ -3,7 +3,6 @@ id: 35c55673-84ca-4e99-8d09-e334f3c29539
 status: experimental
 description: Detects remote RPC calls to modify the registry and possible execute code
 references:
-    - https://attack.mitre.org/techniques/T1112/
     - https://attack.mitre.org/tactics/TA0008/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md
@@ -14,6 +13,7 @@ date: 2022/01/01
 modified: 2022/01/01
 tags:
     - attack.lateral_movement
+    - attack.t1112
 logsource:
     product: rpc_firewall
     category: application

rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml

@@ -4,7 +4,6 @@ status: experimental
 description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
 references:
     - https://attack.mitre.org/tactics/TA0008/
-    - https://attack.mitre.org/techniques/T1569/002/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md
     - https://github.com/zeronetworks/rpcfirewall

rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml

@@ -3,7 +3,6 @@ id: aff229ab-f8cd-447b-b215-084d11e79eb0
 status: experimental
 description: Detects remote RPC calls to create or execute a scheduled task via SASec
 references:
-    - https://attack.mitre.org/techniques/T1053/
     - https://attack.mitre.org/tactics/TA0008/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md

rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml

@@ -3,7 +3,6 @@ id: 65f77b1e-8e79-45bf-bb67-5988a8ce45a5
 status: experimental
 description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
 references:
-    - https://attack.mitre.org/techniques/T1087/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md
     - https://github.com/zeronetworks/rpcfirewall
@@ -13,6 +12,7 @@ date: 2022/01/01
 modified: 2022/01/01
 tags:
     - attack.t1087
+    - attack.discovery
 logsource:
     product: rpc_firewall
     category: application

rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml

@@ -3,7 +3,6 @@ id: 6d580420-ff3f-4e0e-b6b0-41b90c787e28
 status: experimental
 description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
 references:
-    - https://attack.mitre.org/techniques/T1033/
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183
     - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md
     - https://github.com/zeronetworks/rpcfirewall

rules/cloud/aws/aws_ecs_task_definition_backdoor.yml

@@ -8,7 +8,6 @@ description: |
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py
     - https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html
-    - https://attack.mitre.org/techniques/T1525
 author: Darin Smith
 date: 2022/06/07
 tags:

rules/cloud/aws/aws_snapshot_backup_exfiltration.yml

@@ -4,7 +4,6 @@ status: test
 description: Detects the modification of an EC2 snapshot's permissions to enable access from another account
 references:
     - https://www.justice.gov/file/1080281/download
-    - https://attack.mitre.org/techniques/T1537/
 author: Darin Smith
 date: 2021/05/17
 modified: 2021/08/19

rules/cloud/azure/azure_ad_user_added_to_admin_role.yml

@@ -3,7 +3,6 @@ id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7
 status: test
 description: User Added to an Administrator's Azure AD Role
 references:
-    - https://attack.mitre.org/techniques/T1098/003/
     - https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
 author: Raphaël CALVET, @MetallicHack
 date: 2021/10/04

rules/cloud/azure/azure_federation_modified.yml

@@ -3,7 +3,6 @@ id: 352a54e1-74ba-4929-9d47-8193d67aba1e
 status: experimental
 description: Identifies when an user or application modified the federation settings on the domain.
 references:
-    - https://attack.mitre.org/techniques/T1078
     - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes
 author: Austin Songer
 date: 2021/09/06

rules/cloud/azure/azure_mfa_disabled.yml

@@ -3,7 +3,6 @@ id: 7ea78478-a4f9-42a6-9dcd-f861816122bf
 status: experimental
 description: Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.
 references:
-    - https://attack.mitre.org/techniques/T1556/
     - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
 author: '@ionsor'
 date: 2022/02/08

rules/linux/auditd/lnx_auditd_audio_capture.yml

@@ -5,7 +5,6 @@ description: Detects attempts to record audio with arecord utility
 references:
     - https://linux.die.net/man/1/arecord
     - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa
-    - https://attack.mitre.org/techniques/T1123/
 author: 'Pawel Mazur'
 date: 2021/09/04
 modified: 2022/10/09

rules/linux/auditd/lnx_auditd_clipboard_collection.yml

@@ -6,7 +6,6 @@ description: |
   Xclip has to be installed.
   Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
 references:
-    - https://attack.mitre.org/techniques/T1115/
     - https://linux.die.net/man/1/xclip
     - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
 author: 'Pawel Mazur'

rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml

@@ -6,7 +6,6 @@ description: |
   Xclip has to be installed.
   Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
 references:
-    - https://attack.mitre.org/techniques/T1115/
     - https://linux.die.net/man/1/xclip
 author: 'Pawel Mazur'
 date: 2021/10/01

rules/linux/auditd/lnx_auditd_disable_system_firewall.yml

@@ -4,7 +4,6 @@ status: experimental
 description: Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
-    - https://attack.mitre.org/techniques/T1562/004/
     - https://firewalld.org/documentation/man-pages/firewall-cmd.html
 author: 'Pawel Mazur'
 date: 2022/01/22

rules/linux/auditd/lnx_auditd_hidden_files_directories.yml

@@ -4,7 +4,6 @@ status: test
 description: Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
-    - https://attack.mitre.org/techniques/T1564/001/
 author: 'Pawel Mazur'
 date: 2021/09/06
 modified: 2022/10/09

rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml

@@ -3,7 +3,6 @@ id: 45810b50-7edc-42ca-813b-bdac02fb946b
 status: test
 description: Detects appending of zip file to image
 references:
-    - https://attack.mitre.org/techniques/T1027/003/
     - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
 author: 'Pawel Mazur'
 date: 2021/09/09

rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml

@@ -4,7 +4,6 @@ status: test
 description: Detect attempt to enable auditing of TTY input
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md
-    - https://attack.mitre.org/techniques/T1003/
     - https://linux.die.net/man/8/pam_tty_audit
     - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing
     - https://access.redhat.com/articles/4409591#audit-record-types-2

rules/linux/auditd/lnx_auditd_load_module_insmod.yml

@@ -6,7 +6,6 @@ description: |
     Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.
     Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
 references:
-    - https://attack.mitre.org/techniques/T1547/006/
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md
     - https://linux.die.net/man/8/insmod
     - https://man7.org/linux/man-pages/man8/kmod.8.html

rules/linux/auditd/lnx_auditd_password_policy_discovery.yml

@@ -4,7 +4,6 @@ status: stable
 description: Detects password policy discovery commands
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md
-    - https://attack.mitre.org/techniques/T1201/
     - https://linux.die.net/man/1/chage
     - https://man7.org/linux/man-pages/man1/passwd.1.html
     - https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu

rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml

@@ -3,7 +3,6 @@ id: 2625cc59-0634-40d0-821e-cb67382a3dd7
 status: test
 description: Detects a reload or a start of a service.
 references:
-    - https://attack.mitre.org/techniques/T1543/002/
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md
 author: Jakob Weinzettl, oscd.community
 date: 2019/09/23

rules/linux/auditd/lnx_auditd_screencapture_import.yml

@@ -7,7 +7,6 @@ description: |
   ImageMagick must be installed.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md
-    - https://attack.mitre.org/techniques/T1113/
     - https://linux.die.net/man/1/import
     - https://imagemagick.org/
 author: 'Pawel Mazur'

rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml

@@ -4,7 +4,6 @@ status: test
 description: Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture
-    - https://attack.mitre.org/techniques/T1113/
     - https://linux.die.net/man/1/xwd
 author: 'Pawel Mazur'
 date: 2021/09/13

rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml

@@ -3,7 +3,6 @@ id: ce446a9e-30b9-4483-8e38-d2c9ad0a2280
 status: test
 description: Detects embeding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
 references:
-    - https://attack.mitre.org/techniques/T1027/003/
     - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
 author: 'Pawel Mazur'
 date: 2021/09/11

rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml

@@ -3,7 +3,6 @@ id: a5a827d9-1bbe-4952-9293-c59d897eb41b
 status: test
 description: Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
 references:
-    - https://attack.mitre.org/techniques/T1027/003/
     - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
 author: 'Pawel Mazur'
 date: 2021/09/11

rules/linux/auditd/lnx_auditd_system_info_discovery.yml

@@ -3,7 +3,6 @@ id: f34047d9-20d3-4e8b-8672-0a35cc50dc71
 status: test
 description: Detects System Information Discovery commands
 references:
-    - https://attack.mitre.org/techniques/T1082/
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md
 author: 'Pawel Mazur'
 date: 2021/09/03

rules/linux/auditd/lnx_auditd_systemd_service_creation.yml

@@ -3,7 +3,6 @@ id: 1bac86ba-41aa-4f62-9d6b-405eac99b485
 status: experimental
 description: Detects a creation of systemd services which could be used by adversaries to execute malicious code.
 references:
-    - https://attack.mitre.org/techniques/T1543/002/
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md
 author: 'Pawel Mazur'
 date: 2022/02/03

rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml

@@ -3,7 +3,6 @@ id: edd595d7-7895-4fa7-acb3-85a18a8772ca
 status: test
 description: Detects extracting of zip file from image file
 references:
-    - https://attack.mitre.org/techniques/T1027/003/
     - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
 author: 'Pawel Mazur'
 date: 2021/09/09

rules/linux/builtin/lnx_shell_clear_cmd_history.yml

@@ -4,7 +4,6 @@ status: test
 description: Clear command history in linux which is used for defense evasion.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md
-    - https://attack.mitre.org/techniques/T1070/003/
     - https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics
 author: Patrick Bareiss
 date: 2019/03/24

rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml

@@ -10,6 +10,7 @@ date: 2020/06/16
 modified: 2022/10/05
 tags:
     - attack.persistence
+    - attack.t1548.001
 logsource:
     product: linux
     category: process_creation

rules/windows/builtin/security/win_security_access_token_abuse.yml

@@ -3,7 +3,6 @@ id: 02f7c9c1-1ae8-4c6a-8add-04693807f92f
 status: experimental
 description: 'This rule tries to detect token impersonation and theft. (Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.)'
 references:
-    - https://attack.mitre.org/techniques/T1134/001/
     - https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation
     - https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html
 author: Michaela Adams, Zach Mathis

rules/windows/process_creation/proc_creation_win_control_panel_item.yml

@@ -3,7 +3,6 @@ id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
 status: test
 description: Detects the malicious use of a control panel item
 references:
-    - https://attack.mitre.org/techniques/T1196/
     - https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
 author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
 date: 2020/06/22
@@ -14,6 +13,7 @@ tags:
     - attack.t1218.002
     - attack.persistence
     - attack.t1546
+    - attack.t1196
 logsource:
     product: windows
     category: process_creation

rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml

@@ -3,7 +3,7 @@ id: 63de06b9-a385-40b5-8b32-73f2b9ef84b6
 status: experimental
 description: Attackers may leverage fsutil to enumerated connected drives.
 references:
-    - Turla has used fsutil fsinfo drives to list connected drives. https://attack.mitre.org/techniques/T1120/
+    - Turla has used fsutil fsinfo drives to list connected drives.
     - https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml
 author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
 date: 2022/03/29

rules/windows/process_creation/proc_creation_win_hack_hydra.yml

@@ -4,7 +4,6 @@ status: test
 description: Detects command line parameters used by Hydra password guessing hack tool
 references:
     - https://github.com/vanhauser-thc/thc-hydra
-    - https://attack.mitre.org/techniques/T1110/001/
 author: Vasiliy Burov
 date: 2020/10/05
 modified: 2021/11/27

rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml

@@ -3,7 +3,7 @@ id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
 status: test
 description: Detects creation or execution of UserInitMprLogonScript persistence method
 references:
-    - https://attack.mitre.org/techniques/T1037/
+    - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html
 author: Tom Ueltschi (@c_APT_ure), Tim Shelton
 date: 2019/01/12
 modified: 2022/05/31

rules/windows/process_creation/proc_creation_win_nltest_recon.yml

@@ -5,8 +5,6 @@ description: Detects nltest commands that can be used for information discovery
 references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
     - https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
-    - https://attack.mitre.org/techniques/T1482/
-    - https://attack.mitre.org/techniques/T1016/
     - https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters
     - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
 author: Craig Young, oscd.community, Georg Lauenstein

rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml

@@ -6,7 +6,6 @@ references:
     - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
     - https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
     - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
-    - https://attack.mitre.org/techniques/T1036/
 author: vburov
 date: 2019/02/23
 modified: 2022/02/14

rules/windows/process_creation/proc_creation_win_renamed_binary.yml

@@ -3,7 +3,6 @@ id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
 status: test
 description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
 references:
-    - https://attack.mitre.org/techniques/T1036/
     - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
     - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
 author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)

rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml

@@ -3,7 +3,6 @@ id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
 status: test
 description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
 references:
-    - https://attack.mitre.org/techniques/T1036/
     - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
     - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
 author: Matthew Green - @mgreen27, Florian Roth

rules/windows/process_creation/proc_creation_win_run_virtualbox.yml

@@ -3,7 +3,6 @@ id: bab049ca-7471-4828-9024-38279a4c04da
 status: experimental
 description: Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
 references:
-    - https://attack.mitre.org/techniques/T1564/006/
     - https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
     - https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/
 author: Janantha Marasinghe

rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml

@@ -3,7 +3,6 @@ id: 5589ab4f-a767-433c-961d-c91f3f704db1
 status: test
 description: Detects different hacktools used for relay attacks on Windows for privilege escalation
 references:
-    - https://attack.mitre.org/techniques/T1557/001/
     - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
     - https://pentestlab.blog/2017/04/13/hot-potato/
     - https://github.com/ohpe/juicy-potato